The updates to the guidance aim to provide clarity on some of the main areas that can cause confusion for organisations who receive a subject access request (SAR), including clarifying the distinction between 'routine requests' and SARs and a reminder that SARs can be made via social media. We have summarised three areas of interest below:
Failure of the Requester to Engage
The guidance also provides clarity on what happens to requests where the requester has failed to engage with your organisation, for example by refusing to provide ID or respond to a clarification request. In these circumstances you may close the SAR after one month, but this is not a hard and fast deadline, and you should exercise judgement about what a reasonable period of time would be, given the context of the request and requester.
Organisations may refuse to respond to SARs that are manifestly excessive. Further detail has been given to assist organisations when assessing whether a SAR is manifestly excessive. The ICO recommends taking all the circumstances of the SAR into account and using those factors to determine whether the necessary response is proportionate when balanced with the burden or costs involved in dealing with the SAR.
Employers should still treat this provision with caution, as the threshold for "excessive" remains relatively high, and we consider that it is unlikely to apply to the vast majority of SARs received. Furthermore, a request will not necessarily be considered excessive simply because a large amount of information has been requested. Employers should consider asking for clarification from the requester as set out above.
An exemption that is widely and commonly used by employers when dealing with requests from employees is the confidential references exemption, which permits employers to withhold references (either received or given) in certain circumstances. The updated guidance explains that organisations should make it clear in their privacy notices whether references will be treated as confidential or otherwise. The ICO is recommending a policy of openness in relation to references as a preferable approach.
You may want to review your organisation's staff privacy notice, to ensure that it covers the treatment of references and that this reflects the approach that you take in practice. If your preference is to withhold references in response to a SAR then you should make it clear in the notice that references will be treated confidentially.
It is essential that organisations respond to SARs correctly. An employer should ensure the process of responding to a request, including seeking and obtaining clarification, is quick and efficient. Waiting until the last minute before making a request for further information could make it difficult for you to meet the deadline, as the clock only stops after you have made the request for information. This may in turn give rise to complaints being made to the ICO.